Researchers discover yet another batch of unscrupulous Android apps

Hot on the heels of recent stories regarding compromised Android applications, we’ve another warning to share with you. According to newly published research from the International Computer Science Institute, it is believed that around 17,000 Android apps are playing fast and loose with Google’s guidelines on what kind of user activity can be tracked, stored, and shared with data brokers.

The term ‘data broker’ may be new to you, and it’s something that you’d expect to exist, but probably never think about. Also known as an information broker or reseller, this is a company that deals in collecting personal information about groups of consumers, then selling it on to other companies. Their primary purpose is creating detailed profiles of a user, or group of users, so that marketing and advertising agencies can buy this data and target the profiled consumers with adverts that are most likely to result in purchases.

So to summarise, some 17,000 applications on the Google Play Store are skirting the official rules around how much data they can collect, store, and sell to agencies who want to market products to you.

Advertising agencies want your data

Having a smartphone application track your activity isn’t a new concept, and it’s not inherently against Google’s policies. Rather, the way that the application tracks you, as well as how much data it collects, is where the line is drawn in the sand.

Thousands of apps track your activity, which includes data such as the applications you use and how often you use them, which is then passed to advertisers. These agencies can then target you with relevant products, meaning that they’re less likely to bombard you with products that you have zero interest in buying — this in turn increases the likelihood of success for the advertiser.

It’s a practice that has been in use for years. Just look at any of the social media applications that you use, like Instagram, Facebook, WhatsApp, and so on. How often have you mentioned or viewed a product, only to have it appear in targeted advertising next time you open a web browser? This form of tracking and advertising isn’t going anywhere anytime soon.

Tracking is achieved using something called an advertising ID, a unique number assigned to every smartphone that can be read by any application installed on that device. But there’s a weak spot that advertising companies must hate: the ID can be reset by the device user, simply by clearing their cookies, in a process that takes mere seconds. Any data linked to the ID and device is then lost.

So what can companies do to better preserve their tracking history about you and your device? They can link the advertising ID to more permanent and persistent means of identification, such as your device’s MAC address, its IMEI number and its unique Android ID. None of these identifiers can be reset, and crucially, developers are not supposed to do this.

Google provide a whole host of documentation around Android development, which includes ‘Best practices for working with Android identifiers’. The first point simply recommends avoiding hardware identifiers. But the documentation then elaborates further, stating that developers should “Always respect the user’s intention in resetting the advertising ID (…)” and that efforts should not be made to “bridge user resets by using a more persistent device identifier (…) to link subsequent advertising IDs together (…)”.
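As an added example (not code from this article or from the ICSI research), here is a small Python audit that an app reviewer or privacy team could run over captured outbound app traffic: it flags requests that send the advertising ID alongside an IMEI, MAC address or Android ID, and it reports any persistent identifier that turns up with more than one advertising ID, which is exactly the reset-bridging the guidance above forbids. The JSON field names, hosts and identifier values are constructed assumptions; real SDKs use many different field names.

```python
import json
from collections import defaultdict
AD_ID_KEYS = {"advertising_id", "gaid", "adid"}  # resettable advertising ID (assumed field names)
PERSISTENT_KEYS = {"imei", "mac", "android_id"}  # identifiers the user cannot reset
def flatten(obj, key=""):
    """Yield (lower-cased leaf key, value) pairs from a nested JSON object."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from flatten(v, k.lower())
    elif isinstance(obj, list):
        for v in obj:
            yield from flatten(v, key)
    else:
        yield key, obj

def extract_ids(body):
    """Return ({advertising ids}, {(key, value) persistent ids}) found in a JSON body."""
    ad_ids, persistent = set(), set()
    for key, value in flatten(json.loads(body)):
        if not isinstance(value, str) or not value:  # ignore blanks and non-strings
            continue
        if key in AD_ID_KEYS:
            ad_ids.add(value)
        elif key in PERSISTENT_KEYS:
            persistent.add((key, value))
    return ad_ids, persistent

def audit(requests):
    """Return (violations, bridged) for captured (host, json_body) requests: violations =
    (host, key) where the ad ID travels with a persistent ID; bridged = persistent IDs
    seen with more than one ad ID (the recipient could link IDs across a user reset)."""
    violations, seen = [], defaultdict(set)
    for host, body in requests:
        ad_ids, persistent = extract_ids(body)
        for key, value in persistent:
            if ad_ids:
                violations.append((host, key))
            seen[(key, value)].update(ad_ids)
    bridged = {pid: ids for pid, ids in seen.items() if len(ids) > 1}
    return violations, bridged
# Constructed sample traffic (not real app data): the user resets the advertising ID
# between the first and third request, but the IMEI sent to the broker stays the same.
AD_ID_BEFORE_RESET = "11111111-2222-3333-4444-555555555555"
AD_ID_AFTER_RESET = "99999999-8888-7777-6666-555555555555"
SAMPLE_REQUESTS = [
    ("ads.broker.example", json.dumps({"gaid": AD_ID_BEFORE_RESET, "device": {"imei": "123456789012345"}})),
    ("stats.app.example", json.dumps({"advertising_id": AD_ID_BEFORE_RESET, "screen": "home"})),
    ("ads.broker.example", json.dumps({"gaid": AD_ID_AFTER_RESET, "device": {"imei": "123456789012345"}})),
]
```

Running `audit(SAMPLE_REQUESTS)` reports two violating requests to the broker host and one bridged identifier, the IMEI, linked to both the old and the new advertising ID.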

Do you need to do anything?

One of the leading researchers involved in this study contacted Google with the findings in Autumn 2018. Google has since responded to CNET, the tech outlet that originally reported on this problem, saying that action had been taken against several applications. As part of its response, Google also reiterated that advertising IDs and hardware IDs should not be used in conjunction for advertising purposes, only for fraud detection. They stated, “We take these issues very seriously (…)”, and highlighted that such practices are “strictly forbidden”.

Aside from hoping that Google remain stringent on these issues, there’s not much else that can be done. The sheer number of potentially affected applications means that we can’t possibly list them all out here. But we can at least rest assured that the intentions behind the flouting of Google’s guidelines were purely for the benefit of advertising agencies, and not any attempt to steal sensitive personal data.

As always, we will continue to bring you the latest news regarding malicious or dishonest applications and development practices. If you need any advice or guidance on security with regards to your mobile phone or other devices, then speak to WiseGuys on 0808 123 2820.